GetProcAddress API Alternative

March 14, 2020
Delphi, Alternative, Export, GetProcAddress, LoadLibrary, PE Header

In the past two days, I released examples about how to enumerate a DLL export table through the PE Header. We will see one concrete example of using the UntEnumDLLExport.pas library to dynamically load an API without using the famous Windows API GetProcAddress(). This technique is fairly well known and often used by some malware to mask which APIs they are dynamically loading and avoid antivirus detection. To do so, we still need to use LoadLibrary() first to load a DLL in memory and retrieve its address, then iterate through the loaded DLL's export table and catch the target function address. ...

Enum DLL Exported Functions

March 12, 2020
Windows, Delphi, DLL, Export, Library, PE Header, Exported Functions

This unit demonstrates how to enumerate DLL exported functions through PE Header manipulation.

Features

- Support both 32 and 64-bit DLLs.
- Identify exported function names.
- Identify exported function ordinal value.
- Support and resolve forwarded functions.
- Identify exported function address and relative address.

Unit Code

(*******************************************************************************
  Author: -> Jean-Pierre LESUEUR (@DarkCoderSc)
             https://github.com/DarkCoderSc
             https://gist.github.com/DarkCoderSc
             https://www.phrozen.io/
  License: -> MIT
*******************************************************************************)

unit UntEnumDLLExport;

interface

uses Classes, Windows, Generics.Collections, SysUtils;

type
  { One entry of the export table: name, ordinal, address and forwarder info }
  TExportEntry = class
  private
    FName         : String;
    FForwarded    : Boolean;
    FForwardName  : String;
    FRelativeAddr : Cardinal;
    FAddress      : Int64;
    FOrdinal      : Word;

    {@M}
    function GetFormatedAddress() : String;
    function GetFormatedRelativeAddr() : String;
  public
    {@C}
    constructor Create();

    {@G/S}
    property Name : String read FName write FName;
    property Forwarded : Boolean read FForwarded write FForwarded;
    property ForwardName : String read FForwardName write FForwardName;
    property Address : Int64 read FAddress write FAddress;
    property RelativeAddr : Cardinal read FRelativeAddr write FRelativeAddr;
    property Ordinal : Word read FOrdinal write FOrdinal;

    {@G}
    property FormatedAddress : String read GetFormatedAddress;
    property FormatedRelativeAddress : String read GetFormatedRelativeAddr;
  end;

  { Parses the export directory of the DLL given by FileName and fills Items }
  TEnumDLLExport = class
  private
    FItems    : TObjectList<TExportEntry>;
    FFileName : String;

    {@M}
  public
    {@C}
    constructor Create(AFileName : String);
    destructor Destroy(); override;

    {@M}
    function Enum() : Integer;

    {@G}
    property Items : TObjectList<TExportEntry> read FItems;
    property FileName : String read FFileName;
  end;

implementation

{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  Local Functions
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}

{ Format a value as 0x-prefixed hex; APad = 0 picks the width from the value size }
function IntToHexF(AValue : Int64; APad : Word = 0 {0=Auto}) : String;
begin
  if (APad = 0) then begin
    if (AValue <= High(Word)) then
      APad := 2
    else if (AValue <= High(DWORD)) and (AValue > High(Word)) then
      APad := 8
    else if (AValue <= High(Int64)) and (AValue > High(DWORD)) then
      APad := 16;
  end;

  result := '0x' + IntToHex(AValue, APad);
end;

{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  TExportEntry
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}

constructor TExportEntry. ...
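The following Python is an added example, not the UntEnumDLLExport unit and not code from the author. It walks the export directory of a PE file the way the unit's feature list describes (section-table RVA translation, the AddressOfFunctions / AddressOfNames / AddressOfNameOrdinals tables, forwarder detection, PE32 and PE32+) and adds a GetProcAddress-style lookup by name for the first post. The input is a constructed minimal PE32+ image with one .edata section and three exports; sample.dll, Alpha, Beta and other.dll.RealBeta are made-up names and 0x2000 / 0x2010 are made-up code RVAs.

```python
import struct

def build_sample_dll() -> bytes:
    """Constructed minimal PE32+ image (not a real DLL): one .edata section, three exports."""
    SEC_VA, SEC_RAW = 0x1000, 0x200                    # section RVA and file offset differ on purpose
    strings = b"sample.dll\0Alpha\0Beta\0other.dll.RealBeta\0"
    STR = SEC_VA + 0x40                                # strings follow the three export tables
    dll_name, alpha, beta, fwd = STR, STR + 11, STR + 17, STR + 22
    funcs = struct.pack("<3I", 0x2000, fwd, 0x2010)    # ordinals 1..3; #2 points inside the export dir
    names = struct.pack("<2I", alpha, beta)            # AddressOfNames (sorted by name)
    name_ords = struct.pack("<2H", 0, 1)               # AddressOfNameOrdinals (indexes into funcs)
    export_size = 0x40 + len(strings)
    edir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name, 1, 3, 2,
                       SEC_VA + 0x28, SEC_VA + 0x34, SEC_VA + 0x3C)
    section = edir + funcs + names + name_ords + strings
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)        # e_lfanew = 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt_hdr = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, 0x200, 0, 0, SEC_VA,
                          0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0,
                          2, 0x160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    data_dirs = struct.pack("<II", SEC_VA, export_size) + b"\0" * (15 * 8)   # entry 0 = export
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata\0\0", len(section), SEC_VA, 0x200, SEC_RAW,
                          0, 0, 0, 0, 0x40000040)
    headers = dos.ljust(0x80, b"\0") + b"PE\0\0" + file_hdr + opt_hdr + data_dirs + sec_hdr
    return headers.ljust(SEC_RAW, b"\0") + section.ljust(0x200, b"\0")

def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset through the section table."""
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def enum_exports(image: bytes) -> dict:
    """Walk IMAGE_EXPORT_DIRECTORY; PE32 and PE32+ differ only in the data-directory offset."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + {0x10B: 96, 0x20B: 112}[magic]          # first data directory: PE32 vs PE32+
    export_rva, export_size = struct.unpack_from("<II", image, dd)
    if export_rva == 0:
        return {"name": None, "exports": []}            # module has no export table
    sections = [struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
                for i in range(nsections)]
    u32 = lambda rva: struct.unpack_from("<I", image, _rva_to_offset(sections, rva))[0]
    u16 = lambda rva: struct.unpack_from("<H", image, _rva_to_offset(sections, rva))[0]
    def cstr(rva):
        off = _rva_to_offset(sections, rva)
        return image[off:image.index(b"\0", off)].decode("ascii")
    (_, _, _, _, name_rva, base, nfuncs, nnames, af, an, ano) = struct.unpack_from(
        "<IIHHIIIIIII", image, _rva_to_offset(sections, export_rva))
    # AddressOfNameOrdinals maps each name to an index into AddressOfFunctions, not to an ordinal.
    names = {u16(ano + 2 * i): cstr(u32(an + 4 * i)) for i in range(nnames)}
    exports = []
    for i in range(nfuncs):
        rva = u32(af + 4 * i)
        if rva == 0:
            continue                                    # gap in the ordinal range
        # A function RVA that lands inside the export directory is a forwarder string, not code.
        forwarded = export_rva <= rva < export_rva + export_size
        exports.append({"ordinal": base + i, "name": names.get(i), "rva": rva,
                        "forwarded": forwarded,
                        "forward_name": cstr(rva) if forwarded else None})
    return {"name": cstr(name_rva), "exports": exports}

def resolve_export(image: bytes, name: str):
    """GetProcAddress-style lookup by name: the RVA, or the forwarder target the loader would follow."""
    for e in enum_exports(image)["exports"]:
        if e["name"] == name:
            return e["forward_name"] if e["forwarded"] else e["rva"]
    raise KeyError(name)

if __name__ == "__main__":
    info = enum_exports(build_sample_dll())
    for e in info["exports"]:
        target = ("-> " + e["forward_name"]) if e["forwarded"] else hex(e["rva"])
        print(f'{info["name"]} #{e["ordinal"]:<3} {e["name"] or "<by ordinal>":12} {target}')
```

The example reads the file image rather than a module already mapped by LoadLibrary(), so the RVAs go through the section table; on a mapped module RVA + module base is the address directly, which is the case the first post describes. For triage this is the same walk a reviewer does when checking which names a suspicious DLL exposes and where its forwarders point.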